Implementer lens
Use this page when designing people controls, assigning owners, creating records, and preparing implementation evidence.
Implementation objectives
| Control | Practical objective | Main owner | Core records |
|---|---|---|---|
| A.6.1 Screening | Verify personnel suitability before trust or sensitive access is granted | HR / recruitment / hiring manager | Personnel Screening Register, Background Verification Checklist |
| A.6.2 Terms and Conditions of Employment | Make security responsibilities explicit before work or access begins | HR / legal / procurement | Security Terms and Conditions Checklist, Confidentiality Agreement Register, Personnel Security Responsibility Acknowledgement |
| A.6.3 Information Security Awareness Education and Training | Make personnel competent and aware before they handle information, systems, or security responsibilities | HR / security / managers / training owner | Security Awareness and Training Plan, Role-Based Security Training Matrix, Security Training Record |
| A.6.4 Disciplinary Process | Formalize fair and evidence-based response to security policy violations | HR / legal / security / managers | Disciplinary Process Checklist, Policy Violation and Disciplinary Action Register |
| A.6.5 Responsibilities After Termination or Change of Employment | Remove old access/assets and communicate continuing duties for leavers and movers | HR / IT / facilities / managers | Leaver and Role Change Security Checklist, Post-Employment Security Responsibilities Register |
| A.6.6 Confidentiality or Non-Disclosure Agreements | Identify, sign, review, and enforce confidentiality/NDA requirements before information access | Legal / HR / procurement / information owners | Confidentiality Agreement Register, Confidentiality Agreement Review Checklist |
| A.6.7 Remote Working | Authorize and control remote work by user, activity, location, data, equipment, and control set | HR / IT / security / managers | Remote Working Authorization Register, Remote Working Security Checklist, Remote Working Risk Assessment |
| A.6.8 Information Security Event Reporting | Provide simple, timely reporting channels for observed or suspected security events | Security / service desk / managers | Information Security Event Report Form, Information Security Event Reporting Channel Register |
Implementation workflow
- Identify people categories in ISMS scope: employees, contractors, temporary staff, consultants, and third-party users.
- Map role risk using access level, information classification, business criticality, and legal obligations.
- Define screening and contractual requirements proportionate to role risk.
- Embed requirements into onboarding, contractor onboarding, and access provisioning workflows.
- Define baseline awareness and supplementary training for specialist roles.
- Define disciplinary triggers and evidence thresholds for security policy violations.
- Define leaver, mover, access removal, asset return, and continuing duty workflows.
- Identify confidentiality/NDA needs before confidential information is shared.
- Authorize remote working only after required physical, endpoint, connection, access, and data controls are defined.
- Provide reporting mechanisms and training for observed or suspected information security events.
- Protect personnel, screening, training, disciplinary, offboarding, remote working, and event records as personal data where applicable.
- Trigger updated checks, acknowledgements, training, agreements, access changes, or reporting procedures when role, access, policy, procedure, location, or threat context changes.
- Link evidence to the Statement of Applicability and Risk Assessment.
Implementation decisions
| Decision | Why it matters |
|---|---|
| Which people categories are in ISMS scope? | Prevents contractors and third-party users from falling outside controls |
| Which roles require stronger screening? | Keeps screening proportional and lawful |
| What must be completed before access? | Prevents late controls after trust is already granted |
| Who owns personnel security evidence? | A.6 evidence often lives in HR, legal, procurement, and managers’ records |
| How long are records retained? | Avoids privacy and records-protection failures |
| Which roles need supplementary training? | Prevents annual generic awareness from being mistaken for competence |
| What evidence is enough before disciplinary action? | Prevents unfair or inconsistent response to security violations |
| How are movers handled? | Prevents old access and segregation-of-duties conflicts |
| Which confidentiality agreement applies? | Prevents generic NDAs from missing real information-protection needs |
| Which remote work contexts are allowed? | Prevents VPN access from being mistaken for controlled remote work |
| What should personnel report? | Prevents under-reporting and false confidence from “no events” |
Related maps
- Iso27001
- ISO27002
- Implementer guide
- People controls
Note Metadata
Aliases: A.6 Implementation Guide
Source: 05 Implementer Guide/A.6 People Controls Implementation Guide.md
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.6.1 - Screening
- ISO 27001 A.6.2 - Terms and Conditions of Employment
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.4 - Disciplinary Process
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- ISO 27001 A.6.6 - Confidentiality or Non-Disclosure Agreements
- ISO 27001 A.6.7 - Remote Working
- ISO 27001 A.6.8 - Information Security Event Reporting
- A.6 People Controls MOC
- ISO 27001 Implementer Guide
- A.6 People Controls Implementation Audit Risk Mapping
- ISO 27001 Implementer Auditor ISO 27005 Mapping
- ISO 27002 Annex A Control Interpretation Map
- Background Verification Checklist
- Confidentiality Agreement Register
- Confidentiality Agreement Review Checklist
- Disciplinary Process Checklist
- Information Security Event Report Form
- Information Security Event Reporting Channel Register
- Leaver and Role Change Security Checklist
- Personnel Screening Register
- Personnel Security Responsibility Acknowledgement
- Policy Violation and Disciplinary Action Register
- Post-Employment Security Responsibilities Register
- Remote Working Authorization Register
- Remote Working Risk Assessment
- Remote Working Security Checklist
- Role-Based Security Training Matrix
- Security Awareness and Training Plan
- Security Terms and Conditions Checklist
- Security Training Record
- Annex A Controls MOC
- ISO 27001 Overview